IEEE 802.1x—Flexible Authentication

First Published: November 11, 2008

Last Updated: March 30, 2011

The IEEE 802.1x—Flexible Authentication feature provides a means of assigning authentication methods to ports and specifying the order in which the methods are executed when an authentication attempt fails. Using this feature, you can control which ports use which authentication methods, and you can control the failover sequencing of methods on those ports.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for IEEE 802.1x—Flexible Authentication" section.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn.An account on Cisco.com is not required.

Prerequisites for IEEE 802.1x—Flexible Authentication

IEEE 802.1x—Port-Based Network Access Control

You should understand the concepts of port-based network access control and have an understanding of how to configure port-based network access control on your Cisco platform. For more information, see the documentation for your Cisco platform and the Cisco IOS Security Configuration Guide: Securing User Services.

Before you can use the IEEE 802.1x—Flexible Authentication feature, the switch must be connected to a Cisco secure ACS and RADIUS authentication, authorization, and accounting (AAA) must be configured for Web authentication. If appropriate, you must enable ACL download.

If the authentication order includes the 802.1x port authentication method, you must enable IEEE 802.1x authentication on the switch.

If the authentication order includes web authentication, configure a fallback profile that enables web authentication on the switch and the interface.

RADIUS and ACLs

You should understand the concepts of the RADIUS protocol and have an understanding of how to create and apply access control lists (ACLs). For more information, see the documentation for your Cisco platform and the Cisco IOS Security Configuration Guide: Securing User Services.

The switch must have a RADIUS configuration and be connected to the Cisco secure access control server (ACS). For more information, see the Configuration Guide for CISCO Secure ACS.

Restrictions for IEEE 802.1x—Flexible Authentication

In Cisco IOS Release 12.2(33)SXI, the web authentication method cannot fail over to the 802.1x or the MAB authentication method. So, when you configure authentication order, no other authentication method can follow web authentication.

Information About IEEE 802.1x—Flexible Authentication

To set up IEEE 802.1x—Flexible Authentication, you should understand the following concepts:

Overview of the Cisco IOS Auth Manager

The capabilities of devices connecting to a given network can be different, thus requiring that the network support different authentication methods and authorization policies. The Cisco IOS Auth Manager handles network authentication requests and enforces authorization policies, regardless of authentication method. The Auth Manager maintains operational data for all port-based network connection attempts, authentications, authorizations, and disconnections and as such, serves as a session manager.

The possible states for Auth Manager sessions are:

•Idle—In the idle state, the authentication session has been initialized, but no methods have yet been run. This is an intermediate state.

•Running—A method is currently running. This is an intermediate state.

•Authc Success— The authentication method has run successfully. This is an intermediate state.

•Authc Failed—The authentication method has failed. This is an intermediate state.

•Authz Success—All features have been successfully applied for this session. This is a terminal state.

•Authz Failed—At least one feature has failed to be applied for this session. This is a terminal state.

•No methods—No method provided a result for this session. This is a terminal state.

Authentication Order and Authentication Priority

The IEEE 802.1x—Flexible Authentication feature enables authentication order and authentication priority. The authentication order command sets the default authentication priority. You can use the authentication priority command to override the default authentication priority. For example, you might specify an authentication order of MAB and 802.1x. However, after authorization, you might not want to ignore subsequent 802.1x handshakes. In this case, you can give the 802.1x authentication method a higher priority than the MAB method.

RFCs

RFC

Title

RFC 3580

IEEE 802.1x Remote Authentication Dial In User Service (RADIUS)

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

Feature Information for IEEE 802.1x—Flexible Authentication

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Note Table 1 lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1 Feature Information for IEEE 802.1x—Flexible Authentication

Feature Name

Releases

Feature Information

IEEE 802.1x—Flexible Authentication

12.2(33)SXI

This feature provides a means of configuring ports with one or more authentication methods and specifying the order in which those authentication methods are attempted.

The following commands were removed or made obsolete: dot1x fallback, dot1x host-mode, dot1x port control.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.